[Openswan Users] Hub-and-Spoke routing

[Mike C]

Hi,

I am trying to figure out if it is possible to perform a hub-and-spoke
ipsec setup where the hub can route traffic between spokes. I.e.
Situations where spokes are NAT'd but the Hub is not, so is reachable
by all. I'm trying to get A to reach C via B: A->B->C. Using openswan
2.6.36, linux 2.6.32.60-grsec with klips.

My attempts to do so locally have failed so far. I have:

Spoke A: 192.168.20.0/24, WAN 1.1.1.1
Hub     B: 192.168.18.0/24, WAN 2.2.2.2
Spoke C: 192.168.88.0/24, WAN 3.3.3.3

I created a VPN between the spokes and B using a /16 subnet so traffic
for C will be routed over the VPN:
 A-B: 192.168.20.0/24<-->192.168.0.0/16
 C-B: 192.168.88.0/24<-->192.168.0.0/16

A can ping B and B can ping A.
C can ping B and B can ping C.

I found the eroute list looked wrong on B (hub). Everything was going
via the second route. So changed it from (public IPs masked):

# /libexec/ipsec/eroute
0          192.168.0.0/16     -> 192.168.20.0/24    => tun0x1012 at 1.1.1.1
168        192.168.18.0/24    -> 192.168.0.0/16     => tun0x1001 at 3.3.3.3

to:

# /libexec/ipsec/eroute
84         192.168.0.0/16     -> 192.168.20.0/24    => tun0x1012 at 1.1.1.1
1103       192.168.0.0/16     -> 192.168.88.0/24    => tun0x1001 at 3.3.3.3

When I try have A ping C, and run wireshark on C, I see no traffic. As
far as I can see, the eroute counters on B don't increment at all
whereas they did when doing direct A-B, C-B pings.

Routing table for B:

2.2.2.1 dev ppp0  proto kernel  scope link  src 2.2.2.2
192.168.20.0/24 dev ipsec0  scope link  src 192.168.18.254
192.168.18.0/24 dev eth0  scope link  src 192.168.18.254
192.168.0.0/16 dev ipsec0  scope link  src 192.168.18.254
127.0.0.0/8 dev lo  scope link
default via 2.2.2.1 dev ppp0  src 2.2.2.2

Any ideas as to what is wrong, or if I'm barking up the wrong tree? If
I'm on the wrong track, can you advise on possible alternatives that I
could look into?

Thanks,

Mike